Bug 426218 - (CVE-2007-6285) CVE-2007-6285 autofs default doesn't set nodev in /net
CVE-2007-6285 autofs default doesn't set nodev in /net
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 426219 426220 426221 426222 426399 426400 426401
  Show dependency treegraph
Reported: 2007-12-19 07:50 EST by Josh Bressers
Modified: 2010-02-23 23:51 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-09 04:40:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2007-12-19 07:50:25 EST
It was reported to secalert@redhat.com that the autofs defaults do not set the
nodev NFS option.

bug 410031 notes the missing nosuid option by default for the /net autofs
filesystems, the fix for that issue did not take into account that there was
also a missing nodev option for these filesystems.

Without the nodev option, it is possible for an attacker to mount a remote
filesystem which could give them access to various devices that should normally
have restricted access, such as /dev/mem, and various hardware devices.


Red Hat would like to thank Tim Baum for reporting this issue.
Comment 8 Tomas Hoger 2007-12-20 14:19:59 EST
Lifting embargo.
Comment 9 Tomas Hoger 2007-12-20 14:54:15 EST
Fixed now in affected version of Red Hat Enterprise Linux:

Comment 10 Tomas Hoger 2008-01-09 04:40:46 EST
Updates now available also in stable Fedora repositories:


Note You need to log in before you can comment on or make changes to this bug.